Windows 10: Always On VPN DNS resolution problem

Discuss and support Always On VPN DNS resolution problem in Windows 10 Network and Sharing to solve the problem; Hi we set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10. The customer uses split DNS, that means the... Discussion in 'Windows 10 Network and Sharing' started by Thomas A. Gusset, Aug 21, 2020.

  1. Always On VPN DNS resolution problem


    Hi

    We set up Always On VPN in force-tunnel mode. Server side is RRAS on Win Server 2019, client is Win 10.

    The customer uses split DNS, which means the same FQDN points to different IPs depending on whether you are on the inside or outside network.

    Everything works fine but there is a strange issue with DNS resolution.

    One would expect that in force-tunnel mode all the network traffic goes through the VPN tunnel. But for DNS requests you can observe that there are DNS requests to the internal DNS servers, as expected, but also to the DNS servers configured on the LAN interface.

    It looks like Win 10 asks all the DNS servers and selects one of the responses if there are different responses. It seems to be the response from the DNS server on the interface with the lowest metric.

    The VPN client changes the metric as soon as the VPN tunnel is up.


    Metrics while VPN is down:

    [screenshot: interface metrics while the VPN is down]


    Metrics when VPN is up:

    [screenshot: interface metrics while the VPN is up]


    As we can see, the metric of the Ethernet interface has changed from 25 to 4250. Therefore "VPN CL06 VPN Verwaltung" now has the lowest metric and we would expect that DNS responses from the internal DNS servers will be used.

    But we still see the DNS response from the DNS server configured on the Ethernet interface. Because we have to access the internal server, the DNS response returns the wrong IP.

    After some research we found that we should disable IPv6 on the LAN interface. And this works: now DNS resolves the internal IP.

    This seems to be very strange.

    Next we changed the metric of IPv6 of the Ethernet interface from 25 to 100 and enabled IPv6 again.

    [screenshot: Ethernet interface IPv6 metric set to 100]

    ... and it works too.

    There is no IPv6 connectivity on the Ethernet interface nor on the VPN. We sniffed the traffic on the Ethernet interface and saw only IPv4 DNS traffic.


    Any idea why this behavior could make sense?

    For me this seems to be a bug.

    Thomas

    :)
     
    Thomas A. Gusset, Aug 21, 2020
    #1
  2. drueter Win User

    Win 10: DNS resolution of remote network via VPN connection not working

    Changing the metric worked for me, but my situation was a little different:

    DNS resolution with my VPN had been working flawlessly with Win10 (first with Preview, then with RTM, always kept up-to-date) using Dell SonicWALL NetExtender (currently version 7.5.223)

    Then this morning DNS resolution with my VPN stopped working suddenly. I hadn't explicitly made any changes or installed any updates or software. Perhaps an automatic update broke things.

    Though the VPN still connected fine, and though the interface binding order HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Linkage\Bind was properly updated on connection of the VPN (i.e. the VPN's interface was added to the top of the list), NSLOOKUP would use my LAN's DNS servers rather than the VPN's DNS servers. The VPN client was however showing properly-configured DNS servers.

    In my case I was unable to open TCP/IPv4 properties for the "SonicWALL NetExtender" interface: the "Properties" button was displayed as being active, but clicking on it did nothing / did not open a properties dialog.

    So instead I went to TCP/IPv4 properties for my Ethernet interface, clicked Advanced, and unchecked "Automatic metric", and assigned an arbitrary metric of 100.

    After doing this DNS resolution once again works properly: When the VPN is connected the VPN interface's DNS servers are used. When the VPN is not connected, the Ethernet interface's DNS servers are used.
     
    drueter, Aug 21, 2020
    #2
  3. Win 10: DNS resolution of remote network via VPN connection not working

    I can confirm that I also have the issue. To summarize:

    - Windows VPN does not try to resolve hostnames with the remote DNS, with or without split-tunneling enabled. It always uses the DNS defined on the local network card.

    - Issue is new to Windows 10, Windows 8.1 was working correctly with the exact same VPN configuration.

    - Split-tunneling has nothing to do with the issue as the local DNS setting is used in both scenarios to resolve hostnames, which is wrong. Hostnames should be resolved by the remote DNS. By the way, there is a bug in the VPN GUI of Win 10: it is not possible to access the dialog to change the split-tunneling configuration. It can only be done through PowerShell.

    - Even if IPv6 might be involved in the issue, I have never touched the default IPv6 config under Win 8.1 and DNS always worked correctly. It should be the same with Win 10.

    - With nslookup we can clearly see that it uses the DNS of the NIC and not the one pushed by the VPN. nslookup under Win 8.1 uses the VPN defined DNS.

    Microsoft, please address this issue as this is a showstopper for enterprises using the integrated Windows VPN. It is broken!

    UPDATE 1: the problem is actually a bit different than what I thought. DNS resolution works IF you don't use the FQDN of the internal machine you want to reach. The funny thing is that "ping mymachine" will return as a result "mymachine.mycompany.com". But trying to ping "mymachine.mycompany.com" does not resolve since it uses the locally defined DNS. So the problem is with the DNS filter: it does not use the DNS suffix search list to decide where the DNS query should be sent.

    UPDATE 2: the problem is not specific to Windows VPN; SonicWALL NetExtender VPN has the same issue. So it's the DNS resolver, which is common to all VPNs, that has the issue.

    UPDATE 3: DirectAccess is also not working, also seems related to the DNS issue. Looking at the DirectAccess Troubleshooter log there are various unresolved hostname errors.
     
    Louis-Philippe Normandin, Aug 21, 2020
    #3
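The checks the posters above did by hand (interface metrics and DNS servers per adapter in post #1, nslookup against the NIC's DNS vs. the VPN's DNS in post #3), collected into one script, as an added example that is not from this thread or from any of the posters. It assumes the LAN adapter is called "Ethernet"; the VPN adapter name, the split-DNS FQDN and the new metric are placeholder parameters you replace. Run it in an elevated PowerShell on the Windows 10 client; the last step is the IPv6 metric workaround from post #1 and runs with -WhatIf until you remove that switch.

```powershell
# Added example (not from the thread): inspect per-interface metrics and DNS servers,
# compare the answer each interface's DNS server gives for a split-DNS name with the
# system resolver's pick, and apply the IPv6 metric workaround from the thread.
# Assumptions: LAN adapter alias "Ethernet"; VPN alias, FQDN and metric are placeholders.
param(
    [string]$LanAlias       = 'Ethernet',
    [string]$VpnAlias       = 'VPN CL06 VPN Verwaltung',   # placeholder VPN adapter name
    [string]$Fqdn           = 'intranet.example.com',      # placeholder split-DNS FQDN
    [int]   $NewIpv6Metric  = 100
)

# 1. Metrics for both address families. The resolver favours answers from the DNS
#    servers of the lowest-metric interface, and the VPN client only raises the
#    LAN adapter's IPv4 metric when the tunnel comes up, so inspect IPv6 as well.
Get-NetIPInterface -InterfaceAlias $LanAlias, $VpnAlias -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, AddressFamily, InterfaceMetric, AutomaticMetric, ConnectionState |
    Sort-Object InterfaceAlias, AddressFamily | Format-Table -AutoSize

# 2. DNS servers configured on each interface and address family.
Get-DnsClientServerAddress -InterfaceAlias $LanAlias, $VpnAlias -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses | Format-Table -AutoSize

# 3. Ask each interface's IPv4 DNS servers for the name directly. With split DNS the
#    answers are expected to differ; the question is which one the system resolver
#    returns (last line), i.e. which interface's servers actually "won".
$cfgs = Get-DnsClientServerAddress -InterfaceAlias $LanAlias, $VpnAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
foreach ($cfg in $cfgs) {
    foreach ($srv in $cfg.ServerAddresses) {
        $ans = Resolve-DnsName -Name $Fqdn -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' }
        '{0,-28} via {1,-15}: {2}' -f $cfg.InterfaceAlias, $srv, ($ans.IPAddress -join ', ')
    }
}
$sys = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
'System resolver answer              : {0}' -f ($sys.IPAddress -join ', ')

# 4. Workaround from the thread: switch the LAN adapter's IPv6 interface to a manual
#    metric higher than the VPN adapter's, so the VPN's DNS servers are preferred while
#    the tunnel is up. Remove -WhatIf to actually change the interface.
Set-NetIPInterface -InterfaceAlias $LanAlias -AddressFamily IPv6 `
    -AutomaticMetric Disabled -InterfaceMetric $NewIpv6Metric -WhatIf
```

If step 3 shows the system resolver returning the LAN server's (external) address although the VPN adapter has the lower IPv4 metric, the IPv6 metric in step 1 is the value to compare, which is the situation post #1 describes.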
  4. Knoxx29 Win User

    Always On VPN DNS resolution problem

    VPN (trusted VPN)

    Hi everyone.
    I am not an expert about VPNs and that's why I would like to know if someone could list me a few trusted VPNs. I would really appreciate any suggestion/advice.

    Thanks.
     
    Knoxx29, Aug 21, 2020
    #4